Thread: Reading value from EAX at a certain address

Hello,

I am trying to make a trainer for an old single player game. Basically, I want infinite money. I found out that this address is not static, but dynamic. It changes everytime I start the game.

After some debugging I found out that the address holding the money value comes in the EAX register for a short while. I want to extract it's value.

I know how to access EAX in C:

Code:

//This works in MS VS.
int i;
__asm mov i, eax;
printf("%X\n", i);

But the value isn't there the whole time. Thus, I can't "just" save it's value somewhere else.

See my debugging logs for more info:

Code:

007e3e14 - mov ebx,[eax]
007e3e16 - add ebx,edi
007e3e18 - mov [eax],ebx //EAX = 073BBBB4 - The address holding the value of money
007e3e1a - jns 007e3e22
007e3e1c - mov [eax],00000000

How can I retrieve that address? I have already injected my dll in the games process, I can access and change the memory data locally.

Regards,
apsync.

Perhaps then you need a pointer to store the value inside the EAX register instead of an ordinary variable, as in:

Code:

int *ip;
__asm mov ip, eax;
printf("%X\n", *ip);

Originally Posted by itCbitC

Perhaps then you need a pointer to store the value inside the EAX register instead of an ordinary variable, as in:

Code:

int *ip;
__asm mov ip, eax;
printf("%X\n", *ip);

Yes, the question is WHEN/WHERE do I read the value from EAX. Obviously I can't put it on top of my main function. (Thanks for the response though, always appreciated.)

Originally Posted by brewbuck

Can you show a few more instructions prior to this piece of code? Specifically, where is the value of eax coming from?

Sure:

Code:

007E3E00 - 8b 54 24 04                - mov edx,[esp+04]
007E3E04 - 53                         - push ebx
007E3E05 - 56                         - push esi
007E3E06 - 57                         - push edi
007E3E07 - 8d 81 c8 00 00 00          - lea eax,[ecx+000000c8]
007E3E0D - be 07 00 00 00             - mov esi,00000007
007E3E12 - 8b 3a                      - mov edi,[edx]
007E3E14 - 8b 18                      - mov ebx,[eax]
007E3E16 - 03 df                      - add ebx,edi
007E3E18 - 89 18                      - mov [eax],ebx ; // BP
007E3E1A - 79 06                      - jns 007e3e22
007E3E1C - c7 00 00 00 00 00          - mov [eax],00000000
007E3E22 - 83 c2 04                   - add edx,04
007E3E25 - 83 c0 04                   - add eax,04
007E3E28 - 4e                         - dec esi
007E3E29 - 75 e7                      - jne 007e3e12
007E3E2B - e8 60 fd ff ff             - call 007e3b90
007E3E30 - 5f                         - pop edi
007E3E31 - 5e                         - pop esi
007E3E32 - 5b                         - pop ebx
007E3E33 - c2 04 00                   - ret 0004

After some thoughts, I can also do a move eax, 100000 at 007E3E18. I don't need to read any values from registers that way, however, I'm still interested how that could be achieved.

Originally Posted by apsync

Yes, the question is WHEN/WHERE do I read the value from EAX. Obviously I can't put it on top of my main function.

For that you would need timing diagrams of program flow. When does the "money" address gets loaded into the EAX register?
Without indepth information it would be hard if not impossible to get at this address without polling the EAX register periodically.

Originally Posted by itCbitC

For that you would need timing diagrams of program flow. When does the "money" address gets loaded into the EAX register?
Without indepth information it would be hard if not impossible to get at this address without polling the EAX register periodically.

Whenever I hit the "End Turn" button. I'll try to match a pattern in memory somewhere.

Do you have any manuals on this game?
What chipset does this game console use?
What bit pattern does the "end turn" key generate?
It must be possible to simulate "end turn" in software.

Look for answers to some of those questions in your manuals.
You can also post those manuals here and forum'ers will help out.